NYCPHP Meetup

NYPHP.org

[nycphp-talk] Promote Secure Coding

David Krings ramons at gmx.net
Wed May 21 13:22:18 EDT 2014


On 5/21/2014 11:09 AM, Gary Mort wrote:
> $name = $_GET['name'];
> $get = function($varName) {
>    return filter_input(INPUT_GET, $varName, FILTER_SANITIZE_STRING); }
>
> These 2 lines create a function to remove any HTML tags from a query string variable and return it.

First of all, thanks for the explanation. But what would one do if the string 
is supposed to contain HTML tags? Just because we want to remove HTML tags 
from some input we might not want to remove it from all input. Also, maybe we 
want to employ different types of filters?

Maybe the right thing in a tutorial is to first demo $name = $_GET['name']; 
and then explain why using input_filter is a good idea and which other filter 
options there are, such as first sanitizing for email and then checking for a 
valid email address format (that is neat!). Cleaning or filtering input is a 
second step.
Once that concept is clear, introduce your proposal as a means to make it 
impossible to forget to filter input and point out the potential drawback.
I find tutorials and books intimidating that assume that everyone is stupid 
except the author and that one first has to go through a few dozen steps to 
'fix' what the author considers totally broken. Ever read a book from Joe 
Celko? As much as he is an SQL guru he is a lousy author.

Does the filter rip out anything that looks like a tag or does it actually 
compare against a list? So would a potentially harmless <snicker> get taken 
out as well? Explaining all that will take a few pages and examples and the 
tutorial user probably lost interest already. Knowing better, I'd appreciate 
that excursus, because it is better that way than any of these Java tutorials 
that tell you to use
public static final String DEPARTMENT = "Development ";
and fail to explain what public, static, and final actually do and why you'd 
want to use it and why it is different within a method and outside a method. 
For that reason I tossed a good number of Java tutorials in the digital ash can.

I get your point and found it very informative because I didn't come across 
this way back when I did more with PHP. Most likely because it was not covered 
in the tutorials and books that I used.

- David
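The tutorial order sketched above (raw read first, then typed filters, then an allow-list for fields that must keep HTML), as an added example that is not code from the thread; it assumes PHP 7.1 or later and uses filter_var() on a constructed array in place of filter_input():

```php
<?php
// Added example; not code from the thread. Assumes PHP >= 7.1 with the filter
// extension. filter_var() stands in for filter_input() so a constructed array
// can be used instead of a live request. FILTER_SANITIZE_STRING from the quoted
// snippet is deprecated as of PHP 8.1, so strip_tags() covers tag removal here.

// Constructed sample values standing in for $_GET.
$input = [
    'name'     => 'Alice <snicker> <b>Smith</b>',
    'email'    => 'alice@example.com',
    'badEmail' => 'bob at example.com',
    'bio'      => '<p>Hi there</p><img src=x onerror=alert(1)>',
];

// Step 1 in the tutorial order suggested above: the unfiltered read.
$rawName = $input['name'];   // tags and all

// Step 2: strip tags. strip_tags() removes anything shaped like a tag; it does
// not compare against a list of known HTML elements, so <snicker> goes too.
function plainText(string $value): string
{
    return strip_tags($value);
}

// Step 3: a field with a known format gets a typed filter instead of a generic
// one: sanitize first (drop characters an address cannot contain), then check
// that what is left is a well-formed address. Returns null on failure.
function validEmail(string $value): ?string
{
    $clean = filter_var($value, FILTER_SANITIZE_EMAIL);
    $valid = filter_var($clean, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Step 4: a field that is meant to carry HTML keeps an allow-list of tags
// instead of losing all of them. Allowed tags keep their attributes, so this
// is not a substitute for a real HTML sanitizer when attributes are untrusted.
function limitedHtml(string $value): string
{
    return strip_tags($value, '<p><b><i>');
}

foreach (['raw'      => $rawName,
          'name'     => plainText($input['name']),
          'email'    => validEmail($input['email']),
          'badEmail' => validEmail($input['badEmail']),
          'bio'      => limitedHtml($input['bio'])] as $field => $value) {
    printf("%-8s => %s\n", $field, var_export($value, true));
}
```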

